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About this Book and the Library 


The Access Manager Applications Configuration Guide provides information on importing, 
configuring, and managing the connectors you use with Access Manager. 


Intended Audience 


This guide provides information for Access Manager administrators who are responsible for 
configuring and managing the single sign-on to Access Manager. Administrators must know and 
understand the following concepts: 

¢ Secure Assertion Markup Language (SAML) 

+ Extensible Markup Language (XML) 

+ Public Key Infrastructure (PKI) digital signature concepts and Internet security 

¢ Secure Socket Layer/Transport Layer Security (SSL/TLS) 

+ Hypertext Transfer Protocol (HTTP and HTTPS) 

¢ Uniform Resource Identifiers (URLs) 

+ Domain Name System (DNS) 

¢ Firewalls 

¢ Public and private networks 

¢ Connected applications 


Other Information in the Library 


The library provides the following information resources: 


Installation and Upgrade Guide 
Provides an introduction to Access Manager and describes the installation and upgrade 
procedures. 

Help 
Provides context-sensitive information and step-by-step guidance for common tasks, as well as 
definitions for each field on each window. 

Developer Documentation 


Provides a collection of developer tools and examples to design a flexible and expandable 
access management system to enable your applications to interact with the Identity 
Management capabilities of Access Manager, including federation, provisioning, and the secure 
delivery of identity information to client-based applications. 


NOTE: Contact namsdk@netiq.com for any query related to the Access Manager SDK. 
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About this Book and the Library 


About NetIQ Corporation 


We are a global, enterprise software company, with a focus on the three persistent challenges in your 


environment: Change, complexity and risk—and how we can help you control them. 


Our Viewpoint 


Adapting to change and managing complexity and risk are nothing new 


In fact, of all the challenges you face, these are perhaps the most prominent variables that deny 
you the control you need to securely measure, monitor, and manage your physical, virtual, and 


cloud computing environments. 


Enabling critical business services, better and faster 


We believe that providing as much control as possible to IT organizations is the only way to 
enable timelier and cost effective delivery of services. Persistent pressures like change and 
complexity will only continue to increase as organizations continue to change and the 
technologies needed to manage them become inherently more complex. 


Our Philosophy 


Selling intelligent solutions, not just software 


In order to provide reliable control, we first make sure we understand the real-world scenarios in 


which IT organizations like yours operate — day in and day out. That's the only way we can 


develop practical, intelligent IT solutions that successfully yield proven, measurable results. And 


that's so much more rewarding than simply selling software. 


Driving your success is our passion 


We place your success at the heart of how we do business. From product inception to 


deployment, we understand that you need IT solutions that work well and integrate seamlessly 
with your existing investments; you need ongoing support and training post-deployment; and you 
need someone that is truly easy to work with — for a change. Ultimately, when you succeed, we 


all succeed. 


Our Solutions 


¢ Identity & Access Governance 

+ Access Management 

¢ Security Management 

¢ Systems & Application Management 
+ Workload Management 

¢ Service Management 
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Contacting Sales Support 


For questions about products, pricing, and capabilities, contact your local partner. If you cannot 
contact your partner, contact our Sales Support team. 


Worldwide: www.netig.com/about_netiq/officelocations.asp 
United States and Canada: 1-888-323-6768 

Email: info@netig.com 

Website: www.netig.com 


Contacting Technical Support 


For specific product issues, contact our Technical Support team. 


Worldwide: www.netig.com/support/contactinfo.asp 
North and South America: 1-713-418-5555 

Europe, Middle East, and Africa: +353 (0) 91-782 677 

Email: support@netig.com 

Website: www.netigq.com/support 


Contacting Documentation Support 


Our goal is to provide documentation that meets your needs. The documentation for this product is 
available on the NetIQ website in HTML and PDF formats on a page that does not require you to log 
in. If you have suggestions for documentation improvements, click comment on this topic at the 
bottom of any page in the HTML version of the documentation posted at www.netig.com/ 
documentation. You can also email Documentation-Feedback@netig.com. We value your input and 
look forward to hearing from you. 


Contacting the Online User Community 


NetIQ Communities, the NetIQ online community, is a collaborative network connecting you to your 
peers and NetIQ experts. By providing more immediate information, useful links to helpful resources, 
and access to NetIQ experts, NetIQ Communities helps ensure you are mastering the knowledge you 
need to realize the full potential of IT investments upon which you rely. For more information, visit 
http://community.netig.com. 
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Overview of Access Manager 
Applications 


As an administrator, you have many users in your user stores that require access to many different 
web applications. In the past, you had to perform complex steps to configure identity federation 
between Access Manager and different web applications, depending on the authentication protocol. 
The identity federation allowed you to provide single sign-on (SSO) to your users. For more 
information, see “Federated Authentication” in the NetIQ Access Manager 4.3 Administration Guide. 


Access Manager now provides a simplified way to give the users secure, single sign-on (SSO) 
access to different web applications. Access Manager contains the Applications page, under 
Administration Tasks in the Administration Console that allows you to configure basic single sign-on 
and SAML 2.0 applications. 


Access Manager uses connectors to establish the connection between Access Manager and the 
applications. The User Portal page displays the applications as appmarks that the system 
automatically creates when you configure the connector for the application. For more information 
about appmarks, see “Configuring Appmarks” in the NetIQ Access Manager 4.3 Administration 
Guide. 


There are different types of connectors that allow you to connect the applications. 


¢ Section 1.1, “Understanding Basic Single Sign-On,” on page 9 
¢ Section 1.2, “Understanding Federated Single Sign-On with SAML 2.0,” on page 11 


Understanding Basic Single Sign-On 


The purpose of Basic Single Sign-on (SSO) is to allow users to securely store their credentials for 
existing accounts of on-line applications while providing a single sign-on experience for users. For 
example, a user Maria has an account for Evernote. Maria uses Evernote to take notes for her job in 
marketing. Instead of logging into Evernote with separate credentials each time she wants to use it, 
she would log into Evernote once and Basic SSO will save and replay her saved credential every time 
she accesses Evernote. 


Basic SSO and Form Fill policies both automatically populate HTML forms. Form Fill policies scan 
each login page, accelerated through the Access Gateway, to see if the Form Fill policy can populate 
the credential information. For more information, see “Form Fill Policies” in the NetIQ Access 
Manager 4.3 Administration Guide. Basic SSO does not go through the Access Gateway. Basic SSO 
provides connectors for the different applications. You configure the connector for the specific site. 
Basic SSO captures the users’ credentials through a browser plugin or extension. It securely stores 
the users’ credentials on the Identity Server, never using the Access Gateway. 


Access Manager protects the users’ credentials through an SSL connection and AES-256 encryption 
on Access Manager. The following graphic depicts how Access Manager securely stores the 
credentials. 
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Figure 1-1 How Access Manager Securely Stores Credentials 
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For the users to experience Basic SSO to an application, they must install the appropriate Basic SSO 
extension or plugin for their browser or install the MobileAccess app. The following occurs the first 
time a user logs in to access a Basic SSO application: 


1. The user logs in to the User Portal page using their Access Manager credentials. 
2. The user sees the appmarks for the available applications and clicks the appropriate appmark. 


3. If the Basic SSO extension or plugin for the browser is not installed on the computer, Access 
Manager prompts the user to install it. 


4. After installing the extension or plugin, the user must go back to the User Portal and click on the 
application a second time. 


5. The extension or plugin opens a new tab where the user must enter their user name and 
password for the application. 


The user must enter the user name and password for the application once. 


6. The extension or plugin captures the user’s credentials for the application, then the extension or 
plugin sends the user’s credentials to the Access Manager over an SSL connection. 


7. The Access Manager encrypts the user’s credentials with AES-256 encryption, and then stores 
the user name and password in the credential store that is part of Identity Server. 


Identity Server encrypts the user’s credentials with an encryption key that is unique per user 
account in Access Manager. 


8. Access Manager then redirects the user to the application over an SSL connection. 


In subsequent Access Manager sessions, the user can log in with the Access Manager credentials 
and access the destination application without providing the additional credentials for the application. 
Identity Server securely retrieves and submits the user’s credentials for an automatic login on behalf 
of the user. This provides the user with a single sign-on experience. 


The user must install the Basic SSO browser extension on each device where the user wants to 
access the application. Access Manager automatically prompts the user to install the extension the 
first time that the user accesses the application’s appmark from a different device, even if the user’s 
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credentials for the application are available in the user store. The extension then retrieves and 
submits the user’s credentials for the selected application from Access Manager for an automatic 
login. 


Typically, users have a different login user name and password for their individual accounts for each 
application. A user can have only one account per application. Access Manager stores the user’s 
current credentials, but users still have the responsibility to maintain the credentials. The User Portal 
page, on the menu on the user’s name, provides a way for users to modify their credentials if they are 
expired or stolen through the Clear Single Sign-on Credentials option. 


If the user changes the user name or password to the account for the application, or if the user 
cancels the account, the user’s stored credentials are no longer valid. The automatic login fails, and 
the browser extension takes the user to the application’s login page where the user can log in with 
new credentials. Access Manager removes the old credentials and stores the user’s new credentials 
for subsequent logins to the application. 


Understanding Federated Single Sign-On with 
SAML 2.0 


To understand the federated single sign-on process with Access Manager you must understand 
SAML 2.0. If you do not have a good understanding of SAML 2.0 proceed to Section 1.2.1, 
“Understanding SAML 2.0,” on page 11. If you understand SAML 2.0, proceed to Section 1.2.2, 
“Understanding the SAML 2.0 Federated Single Sign-On Processes with Access Manager,” on 
page 12. 


Understanding SAML 2.0 


To understand and use the SAML 2.0 connectors Access Manager provides, you must have a very 
good understanding of SAML 2.0. SAML, developed by the Security Services Technical Committee of 
the Organization for the Advancement of Structured Information Standards (OASIS), is an XML- 
based framework for communicating user authentication, entitlement, and attribute information. For 
more information see, Security Assertion Markup Language (SAML) V2.0 Technical Overview. 


SAML 2.0 creates a two-way agreement between two vendors asserting that the information provided 
is valid. It provides a standard framework to share this information so you do not have to recreate the 
configuration for every vendor you want to share information. 


To use the SAML 2.0 connectors provided for Access Manager, you must understand the basic 
concepts and components of SAML 2.0. SAML 2.0 defines each of the components using XML 
schema. You must be able to read and format documents in XML to use the connectors for SAML 2.0. 


XML: SAML 2.0 is an XML-based framework. This means you must understand the XML format, 
structure, elements, and how it defines rules for encoding documents. For more information, see 
Introduction to XML on the www.w3schools.com website. 


Assertion: SAML assertions define the syntax for creating XML-encoded assertions to describe 
authentication, attribute, and authorization information for an entity. The SAML 2.0 connectors help 
create the assertions for Access Manager and the federation applications. 


Attributes: LDAP attributes passed between two entities. In this cases, it is LDAP attributes passed 
between Access Manager and connected federation applications. 
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Metadata: Metadata defines how SAML 2.0 shares configuration information between two 
communicating entities. You must be able to access and share the Access Manager metadata 
information with the federated application. You must also be to access and share the federated 
application metadata with Access Manager. 


Protocols: SAML 2.0 supports HTTP, HTTPS, and SOAP protocols. The SAML 2.0 connectors use 
HTTPS to establish a secure connection between Access Manager and the federated applications. 
To establish the secure HTTPS connection, you must obtain the certificate from the metadata from 
Access Manager and the application. Each side then uses the other side’s certificate to create the 
secure connection. 


Understanding the SAML 2.0 Federated Single Sign-On 
Processes with Access Manager 


Federated single sign-on relies on a trust relationship between an identity provider and a service 
provider to give users access to web services or applications. Access Manager uses SAML 2.0 
(Security Assertion Markup Language) to create federated connections to web services and 
applications. The web services and applications are services providers and Access Manager is the 
identity provider. 


SAML 2.0 is an open standard for federation that provides a vendor-neutral means of exchanging 
user identity, authentication, attribute information, and authorization information. SAML 2.0 defines 
the structure and content of assertions and protocol messages used to transfer this information 
between Access Manager and the web services or applications (Service providers). For more 
information about SAML 2.0, see Section 1.2.1, “Understanding SAML 2.0,” on page 11. 


Using a SAML 2.0 connection, the service provider (web services and applications) trusts the identity 
provider (Access Manager) to validate the user’s authentication credentials and to send identity 
information about the authenticated user. The service provider accepts the data and uses it to give 
the user access to the web service or application. This data exchange is transparent for the user. It 
allows the user to access the web service or application without providing additional credentials. 


For example, Figure 1-2 shows you how a SAML single sign-on authentication works with Access 
Manager. 
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Figure 1-2 Access Manager Single Sign-On with SAML 2.0 
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1. The user Steve Smith authenticates to the corporate identity server (Access Manager) with his 
corporate user name and password. 


2. Access Manager authenticates Steve against the user name steve s. and associated password 
in the user store. 


3. Access Manager presents the User Portal page to Steve with an appmark to the 401k application 
that he is entitled to use. 


4. When Steve clicks the 401k appmark on the User Portal page, Access Manager produces an 
authentication assertion or token for the 401k application (service provider) that contains the 
identity attributes needed for authentication. 


5. The 401k application (service provider) consumes the assertion or token to establish a security 
context for the user with Access Manager (identity provider). 


6. The 401k application uses the assertion or token to validate that steve s. is ssmith_01 and 
authorizes the authentication (resource request). 


7. The 401k application (service provider) establishes a session with Steve. 


Through this process, Steve entered his user name and password once for the corporate identity 
server. 


In the past, Access Manager allowed you to configure federated authentication using SAML 2.0 to 
internal and external identity providers, service providers, and embedded service providers (ESPs). 
Access Manager now provides a simpler means of creating the SAML 2.0 federation for single sign- 
on by providing connectors for specific applications. When you use the connectors, Access Manager 
automatically creates an appmark for the web service or application and places the appmark on the 
User Portal page for users to access. You can limit access to the SAML 2.0 web service or application 
by using role assignments configured on the Applications page. You can limit visibility of the SAML 
2.0 appmarks on the User Portal page by using role assignments configured on the appmarks. 
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AccessManager allows you to convert the existing SAML 2.0 service providers to applications that 
you can manage from the Applications page. The main benefit of conversion is to add the ability to 
configure access control to the application using roles.For more information, see Section 4.3, 
“Converting SAML 2.0 Service Providers in the Applications Page,” on page 22. 


Access Manager provides a set of connector for SAML 2.0 applications that you can import from the 
Applications Connector Catalog or you can import from a file you save from the Applications 
Connector Catalog. You must import and configure the connector for the appropriate applications in 
your environment. Use the appropriate connector-specific chapters to configure the SAML 2.0 
connector. For more information, see: 


+ 


+ 


+ 


Chapter 5, “Configuring the Application for Accellion,” on page 23 
Chapter 6, “Configuring the Connector for Access Manager,” on page 27 
Chapter 7, “Configuring the Application for Amazon AWS,” on page 31 
Chapter 8, “Configuring the Application for Google Apps,” on page 35 
Chapter 9, “Configuring the Application for Salesforce,” on page 39 
Chapter 10, “Configuring the Application for ServiceNow,” on page 45 
Chapter 11, “Configuring the Application for Zoho Apps,” on page 49 
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Using the Application Connector 
Catalog 


Access Manager provides an Application Connector Catalog for you to see all of the available 
application connectors that Access Manager supports for single sign-on. We update the Application 
Connector Catalog as soon as there is a new application connector available. 


There are two ways to access Application Connector Catalog: 


¢ Section 2.1, “Accessing Connectors through Administration Console,” on page 15 


¢ Section 2.2, “Accessing and Using the Application Connector Catalog through the Website,” on 
page 15 


Accessing Connectors through Administration 
Console 


Importing and configuring a connector is part of the process of creating appmarks for the applications. 
You must import the connector from the Application Connector Catalog into Administration Console 
before you can configure the connector and create an appmark. 


The Application Connector Catalog displays all available connectors. The catalog can display the 
connectors by name or by connector type. The two currently available connector types are Basic 
SSO and SAML. 


To access the Application Connector Catalog through Administration Console: 


Log in to Administration Console Dashboard, then click Administration Tasks > Applications. 
Click + (plus sign), then click Add Application from Catalog. 


Browse or search through the catalog, then select the appropriate connector. 


bh OO N PF 


Configure the connector. 


For information about the Basic Single Sign-On applications, see Chapter 3, “Configuring 
Applications for Basic Single Sign-On,” on page 17. For information about the other connector 
types, see the application-specific chapter in this guide. 


Accessing and Using the Application Connector 
Catalog through the Website 


Depending on your firewall configuration, you might not be able to access the Application Connector 
Catalog directly through Administration Console. If you cannot access the Application Connector 
Catalog through Administration Console, you can download connectors from another computer and 
the copy those files to a computer that Administration Console can access. 


Accessing and using the website for the Application Connector Catalog: 


1 Access the website for the Application Connector Catalog at https://catalog.netig.com. 


2 Browse through the catalog, then select the appropriate connector. 


Using the Application Connector Catalog 15 


Click the desired application connector, then save the application connector. 
Copy the application connector to a computer that Administration Console can access. 
Log in to Administration Console, then click Applications. 


Click + (plus sign), then click Import from File. 


N OO Of fF W 


Configure the connector. 


For information about the Basic Single Sign-On applications, see Chapter 3, “Configuring 
Applications for Basic Single Sign-On,” on page 17. For information about the other connector 
types, see the application-specific section in this guide. 


16 Using the Application Connector Catalog 


3.1 


Configuring Applications for Basic 
Single Sign-On 


Access Manager provides a way to securely provide single sign-on to applications for the users. 
Access Manager provides Basic Single Sign-On (SSO) connectors that are customized for each 
application to meet the interactive and content requirements for logging in to the application. The 
Basic SSO connectors work with Basic SSO extensions for browsers to securely collect, store, 
retrieve, and replay the users’ authentication information for the application you select. For more 
information, see Section 1.1, “Understanding Basic Single Sign-On,” on page 9. 


Access Manager provides many connectors for Basic SSO that you can import from the Application 
Connector Catalog. You can access the Application Connector Catalog through Administration 
Console, but Administration Console must have access to the internet for the Application Connector 
Catalog to work. Ensure that you have port 80 open on your firewall for communication to the 
Application Connector Catalog for the latest connectors. You can also access the Application 
Connector Catalog without Administration Console. To see the list of current connectors, access this 
website (http://catalog.netig.com/). For more information, see Section 2.2, “Accessing and Using the 
Application Connector Catalog through the Website,” on page 15. 


IMPORTANT: Please contact NetIQ Technical Support (https://www.netiq.com/support/) if a 
connector for Basic SSO is not yet available for the application that your users access. This helps us 
to define requirements and set priorities for future connectors for Basic SSO. 


Use the information in the following sections to configure a connector for Basic SSO. 
¢ Section 3.1, “Requirements for Using Basic SSO Connectors,” on page 17 


¢ Section 3.2, “Configuring a Connector for Basic SSO,” on page 18 


¢ Section 3.3, “Understanding the Configuration Options for the Connectors for Basic SSO,” on 
page 19 


¢ Section 3.4, “Managing Icons,” on page 20 


¢ Section 3.5, “Troubleshooting Basic Single Sign-On,” on page 20 


Requirements for Using Basic SSO Connectors 


To use the connectors for Basic SSO, you must ensure that you meet the following requirements: 
O Connectors for Basic SSO work with applications that require forms-based authentication for 
login. Typically, they have the following login requirements: 


© The application’s login page uses HTML Forms as the main point of interaction with the 
user. 


O The application requires the user’s password to be sent for logging in to the application. 


O The application does not support using SAML 2.0 or WS-Federation protocols for federated 
trust relationships instead of sending passwords. 


O The login page scheme must HTTPS not HTTP. 


Configuring Applications for Basic Single Sign-On 17 


18 


3.2 


O The connectors for Basic SSO support user access to the application only through Chrome, 


Internet Explorer, and Firefox web browsers running on a desktop or laptop computer. The 
browsers work with the Basic SSO extension to securely collect, store, retrieve, and replay 
users’ credentials for the applications. 


The connectors for Basic SSO support the following browser versions: 
+ Chrome 
¢ Firefox 34 or later 
+ Internet Explorer 11 


The MobileAccess app supports the secure retrieval and replay of previously stored credentials 
for applications that users access through the User Portal page on supported mobile devices. 


For user access to the applications on supported mobile devices, the MobileAccess app 
supports only the following versions: 


+ iOS 9.x 
+ Android Kit Kat 4.4 or Lollipop 5.x 


A user must install the Basic SSO extension in a supported browser one time on each desktop or 
laptop they use to access the Basic SSO applications. 


For Chrome, the extension is available for free from the Google Play Store. If it is not installed 
when the user accesses the application through Access Manager, Access Manager prompts the 
user to go to the Google Play Store and install it. The installation adds the extension to the 
Chrome Extensions list, with the following permissions: 


+ Access your data on all websites 
+ Access your tabs and browsing activity 


For Firefox, the extension is available through Add-ons. The Firefox extension behaves the 
same way the Chrome extension behaves. 


For Internet Explorer, Access Manager prompts the user to install the Basic SSO extension, 
when the user accesses the application through Access Manager. 


Basic SSO is not supported in a mixed Access Manager environment. All components of Access 
Manager, the IDP clusters, Access Gateway clusters, and the Administration Console must be at 
version 4.3 or later for Basic SSO to work. 


Configuring a Connector for Basic SSO 


The Application Connector Catalog contains all of the available Basic SSO connectors. You can 
import and configure as many of the connectors for Basic SSO as you need in Access Manager. 


IMPORTANT: You can import and configure as many of the connectors for Basic SSO as you need. 
However, users only can store up to 20 saved credentials. For example, you might import and 
configure 75 connectors for Basic SSO. A user could only use and save credentials for 20 of the 75 
connectors for Basic SSO. 


The steps to configure the connectors for Basic SSO are the same for each connector provided in the 
Application Connector Catalog. 


To configure a connector for Basic SSO: 


1 Log in to Administration Console. 


2 Click Applications. 
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3 Import a connector for Basic SSO from the Application Connector Catalog. 
For more information, see Chapter 2, “Using the Application Connector Catalog,” on page 15. 
4 Configure the connector for Basic SSO using the prompts. 


For more information, see Section 3.3, “Understanding the Configuration Options for the 
Connectors for Basic SSO,” on page 19. 


5 Click Save. 


The Applications page displays the new connector for Basic SSO. The creation process of the 
connector for Basic SSO creates an appmark for the connector so that users can access it through 
the User Portal page. You must ensure that you have configured MobileAccess for the users to 
access and use the connectors you have added. For more information, see “Enabling Mobile and 
Web Access” in the NetIQ Access Manager 4.3 Administration Guide. 


Understanding the Configuration Options for the 
Connectors for Basic SSO 


You configure the connectors for Basic SSO in Administration Console under Applications. On each 
connector you import and configure, there is a menu on the upper right corner that allows to you to 
delete the connector. Clicking the plus sign (+) at the top of the page, allows you to import and 
configure a new connector. When you import a connector for Basic SSO the following options are 
available. 


Table 3-1 Connectors for Basic SSO Options 


Options Description 


Name Specify a unique name for the connector for Basic SSO. Access Manager does 
not allow you to have two connectors with the same name. 


Description (Optional) Specify a description on the connector for Basic SSO. You can 
import and configure multiple connectors for the same application. You could 
have two connectors for Google so ensure to use a unique name and a 
description to help determine the differences between the connectors. 


Change Image (Optional) Change the default image that the User Portal page displays to the 
users. Each connector for Basic SSO contains a default image. You can 
change that image to any image you want. The maximum image size is 200 x 
200 pixels and the ideal image size is 100 x 100 pixels. You can use an image 
from the Image Gallery or upload your own image. 


Roles (Optional) Select the appropriate role from the list to determine which users 
see the appmarks for the connectors for Basic SSO on the User Portal page. If 
you do not assign a role, all users will see the appmark for the application on 
the User Portal page. 


All appmarks for the connectors for Basic SSO have a public endpoint to 
Identity Server (IdP). This means that even if a user is not a member of a role, 
and logs in to the User Portal page, plus they know the exact URL that is part 
of the appmark, the Basic SSO process starts. For more information about the 
Basic SSO process, see Section 1.1, “Understanding Basic Single Sign-On,” 
on page 9. 


URL Specify the URL that the users access when they click the appmark for the 
applications on the login page. 
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3.4 


3.5 


Options Description 


Enable Select the user platforms where the appmark will be visible. The platforms are 


Desktop, iOS, and Android. 


Optional Configuration Specify a different image and URL for the desktop browsers, iOS devices, and 
Values Android devices. 
Login Form Data Verify that the information displayed is correct for the application. When you 


import the connectors, it populates these fields for you. 


Managing Icons 


Access Manager provides a set of default images you can use when creating an appmark. You can 
also upload your own images. The maximum image size is 200 x 200 pixels and the ideal image size 
is 100 x 100 pixels. 


You can delete and edit any images you upload. You are not allowed to delete or edit any of the 
images that come with Access Manager. You edit or delete the images when you are creating or 
editing appmarks. 


Troubleshooting Basic Single Sign-On 


Use the following information to help troubleshoot issues with Basic SSO. 


¢ Basic SSO can only work with one instance of Access Manager. If you have two instances of 


Access Manager and the user has an account for both system, when they try to log in to Basic 
SSO applications, they will have issues. Basic SSO uses sessions for save and replaying the 
users’ credentials. Have multiple sessions open in the same browser will cause problems. 


The Basic SSO plugin for Internet Explorer 11 does not detect if you have a prior version of the 
plugin installed. Ensure that you do not already have the Basic SSO plugin installed before 
installing the plugin. You must uninstall a previous version of the plugin from Windows Control 
Panel, not from the browser Manage Add-ons window. Whereas previous versions of the plugin 
were named Basic SSO, the current version of the plugin is named Single Sign-On Assistant. 
Currently, there is no upgrade path from prior versions of the plugin. 


The Basic SSO plugin for Internet Explorer 11 does not support authentication to multiple 
instances of the browser. An cookie mismatch error occurs followed by a forced logout. 
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4.1 


4.2 


Understanding Global Settings for SAML 
2.0 Applications 


Access Manager provides a number of SAML 2.0 connectors for you to use to create secure, 
federated connections to applications. You manage these connectors through the Applications page 
in the Administration Console Dashboard under Administration Tasks. 


In prior releases of Access Manager, to create a federated connection to applications or web 
services, you would create a SAML 2.0 service provider. For more information, see “Configuring 
SAML 2.0” in the NetIQ Access Manager 4.3 Administration Guide. The new SAML 2.0 connectors 
simplify the configuration process of establishing a federated connection between applications or web 
services and Access Manager. 


When you import and configure a SAML 2.0 connector, Access Manager automatically creates an 
appmark for the connector. The role assignments when you configure the connector allow access to 
the applications and the role assignment on the appmarks determines whether users see the 
appmark on the User Portal or in the MobileAccess app. 


¢ Section 4.1, “Global Requirements for SAML 2.0 Connectors,” on page 21 


¢ Section 4.2, “Managing SAML 2.0 Applications,” on page 21 
¢ Section 4.3, “Converting SAML 2.0 Service Providers in the Applications Page,” on page 22 


Global Requirements for SAML 2.0 Connectors 


All of the SAML 2.0 connectors have unique requirements. However, some of the requirements are 
the same no matter which SAML 2.0 connector you use. Ensure that you meet the following global 
requirements before configuring a SAML 2.0 connector. 


O SAML 2.0 connectors are not supported in a mixed Access Manager environment. All 
components of Access Manager, the IDP clusters, Access Gateway clusters, and the 
Administration Console must be at version 4.3 or later for the SAML 2.0 connectors to work. 


O An understanding of identity federation using the SAML 2.0 protocol. For more information, see 
Section 1.2.1, “Understanding SAML 2.0,” on page 11. 


Managing SAML 2.0 Applications 


On each connector you import and configure, there is an ellipses menu on the upper right corner that 
allows to you to delete the connector. Clicking the plus sign (+) at the top of the page allows you to 
import and configure a new connector. 


You can fill out part of the configuration information on a SAML 2.0 connector and save the 
configuration to finish configuring the SAML 2.0 connector at a later time. Any SAML 2.0 connectors 
that are in progress appear at the top of the list of connectors on the left side of the Applications page 
under the heading of Application needs more information. The ellipses menu does not appear on the 
connector until you complete the configuration of the connector. 
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Any section of the SAML 2.0 connector that still requires information, appears with a red warning 
symbol to let you know you must add more information to make the connector function. Until the 
configuration is complete, Access Manager does not create the appmark for the connector. 


4.3 Converting SAML 2.0 Service Providers in the 
Applications Page 


In prior releases, Access Manager allowed you to configure federated authentication using SAML 2.0 
to internal and external identity providers, service providers, and embedded service providers 
(ESPs). For more information, about the prior configuration for service providers, see “Configuring 
SAML 2.0” in the NetIQ Access Manager 4.3 Administration Guide. This release of Access Manager 
provides a way for you to convert the previously configured SAML 2.0 service providers to become a 
SAML 2.0 application managed through the Applications page. 


Converting the service providers gives you the following benefits: 


+ Adds the ability to configure access control to the application using roles. 
+ Automatically creates an appmark for the application. 
If you had created appmarks for the SAML 2.0 service provide, nothing happens to those appmarks. 


The conversion process only adds a new appmark for the SAML 2.0 application, if you select to 
create a new appmark. 


After you have upgraded to Access Manager 4.3 the new Applications page displays any service 
providers you have created in the past. Access Manager does not convert the service provider until 
you click on it and save the new configuration options. 


To convert a service provider to an application: 


1 Log in to Administration Console as an administrator. 
2 In Administration Console Dashboard, click Administration Tasks > Applications. 
3 Find the service provider you want to convert in the list of applications on the left. 


If the service provider is not converted, then there is no menu in the upper right corner of the tile 
and the image is a default SAML image for all SAML 2.0 service providers. 


4 Click the SAML service provider you want to convert. 


5 Review all of the available options to ensure they are correct. 


NOTE: If you have existing appmarks, Access Manager populates the Roles field with the roles 
assignments from the existing appmarks. The roles assignments here grant the users 
accessibility to applications. The role assignments on the appmark grants visibility to appmarks 
for the users. 


6 Click Save to convert the SAML 2.0 service provider to be a SAML 2.0 application. 
7 Click Yes to create a new appmark for this SAML 2.0 application. 

or 

Click No if you do not want a new appmark created for this SAML 2.0 application. 


8 Click the Configuration Panel, then perform an Update All to have the changes take effect. 


After you have converted a SAML 2.0 service provider to be a SAML 2.0 application, the Advanced 
Setup links appear in each configuration section. You can use these links to view or edit additional 
settings not displayed in the Applications page of converted applications. 
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5.1 


5.2 


Configuring the Application for 
Accellion 


Access Manager provides a connector for Accellion that allows you to create a federated connection 
between Access Manager and Accellion. The federated connection uses SAML 2.0 to help you create 
a single sign-on experience for your users. 


The connector for Accellion simplifies the configuration process to establish a federated connection 
between Accellion and Access Manager. When you import and configure the connector, Access 
Manager automatically creates an appmark for the users to use in MobileAccess. 


Requirements for the Connector for Accellion 


To use the connector for Accellion, you must meet the following requirements: 
© Ensure you have meet the global requirements for SAML 2.0 connectors. For more information, 
see Section 4.1, “Global Requirements for SAML 2.0 Connectors,” on page 21. 
O AnAccellion administrator account. 
O The Accellion domain name for your company. 
O The connector for Accellion does not provision user account. You must create user accounts in 


Accellion that match the user account in the identity store for single sign-on to function. 


To configure a federated connection between Access Manager and Accellion, you must use the 
federation instructions you obtain when you configure the connector. The federation instructions 
contain metadata specific to Access Manager, certificates, and any other information you need to 
properly configure the federated connection. 


Configuring the Connector for Accellion 


The connector for Accellion creates a SAML 2.0 connection between Access Manager and Accellion. 
The connector helps you create a federated connection between Access Manager and Accellion so 
when your users log in to the User Portal page, they only have to authenticate once. For more 
information, see Section 1.2, “Understanding Federated Single Sign-On with SAML 2.0,” on page 11. 


To configure the connector for Accellion: 


1 Log in to Administration Console as an administrator. 
2 Inthe Dashboard, under Administrative Tasks, click Applications. 


3 (Conditional) Select the appropriate IDP cluster to use application. If you only have one IDP 
cluster, there is nothing to select. 


4 Click the plus sign + to import the SAML 2.0 connector for Accellion. 
4a Click Add Application from Catalog, then search for the SAML 2.0 connector for Accellion. 
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For more information, see Chapter 2, “Using the Application Connector Catalog,” on 
page 15. 


or 
4b Click Import Application from File, then browse to and select the file. 
5 Configure the connector for Accellion following the prompts. 


For more information, see Section 5.3, “Understanding the Configuration Options for the 
Connector for Accellion,” on page 24. 


6 Click Save. 


5.3 Understanding the Configuration Options for the 
Connector for Accellion 


The Applications page populates a number of fields for you. It is able to use information in your 
environment to help populate the metadata and other fields. The information in the federation 
instructions is specific to your environment. 


Table 5-1 Connector for Accellion Configuration Options 


Options Description 
Name Specify a name for the connector for Accellion. 
Description (Optional) Specify a description on the connector for Accellion. You could 


have two connectors for Accellion so ensure to use a unique name and a 
description to help determine the differences between the connectors. 


Change Image (Optional) Change the default image that the User Portal page displays to 
the users. Each connector contains a default image. You can change that 
image to any image you want. The maximum image size is 200 x 200 pixels 
and the ideal image size is 100 x 100 pixels. You can use an image from the 
Image Gallery or upload your own image. 


Application Connector Setup This section displays the metadata information Access Manager requires 
from Accellion to create the federated connection. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Application Connector Setup > Specify the Accellion domain name that is the custom part of your Accellion 

Domain name domain. It appears when you login to your site administration as 
customerdomain. For example, https: // 
CUSTOMERDOMAIN.accellion.net/courier/Application ID. 


Application Connector Setup > Displays the metadata for the connector. You can view or download the 

Metadata metadata. If you have not saved the connector, the system creates the 
SAML 2.0 metadata using the values provided and other values from the 
connector. 
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Options 


Application Connector Setup > 
Signing Certificate 


Attributes 


Attributes > Subject/NamelD 


Access and Roles 


Access and Roles > Roles 


Access and Roles > Contracts 


System Setup 


System Setup > Metadata 


System Setup > Signing 
Certificate 


System Setup > Federation 
Instructions 


Description 


Uploads a signing certificate file to secure communication between Access 
Manager and Accellion. Or it displays the content of the signing certificate if 
you have saved the connector. 


The system automatically adds this new certificate to the trust store for 
Administration Console. However, this new certificate is not automatically 
added to the trust store for the IDP cluster. 


IMPORTANT: You must manually add this signing certificate to the IDP 
Cluster trust store or the health of the IDP cluster turns yellow and users do 
not see this new appmark when they log in to the User Portal page. For 
more information, see “Managing Certificates and Keystores” in the NetIQ 
Access Manager 4.3 Administration Guide. 


Allows you to see and manage the attributes that are part of the SAML 2.0 
assertion. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Select the appropriate attribute from Accellion for the ID of the users. 
Typically, the users’ email address. 


Allows you to control who has access to the application. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Select the role assignments to determine the user accessibility of this 
application. The Role assignments made in the Appmark editor determine 
the user visibility of the appmarks associated with this application not the 
accessibility of the application. 


Select the contracts presented to users when they click the appmark. The 
users see these contract unless the contract is satisfied during login or 
through the authentication levels. 


Displays the metadata information from Access Manager to use in Accellion 
to create the federated connection. 


You can view or download the metadata information from Access Manager 
to create the federated connection. 


You can view or download the signing certificate from Access Manager to 
create the federated connection. 


Contains the federation instructions on what you must change or modify in 
Accellion to create the federated connection. Follow the federated 
instructions. 
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6.1 


6.2 


Configuring the Connector for Access 
Manager 


Access Manager provides a connector for Access Manager that allows you to create a federated 
connection between two different Access Manager systems. The federated connection uses SAML 
2.0 to help you create a single sign-on experience for your users. 


The connector for Access Manager simplifies the configuration process to establish a federated 
connection between two different Access Manager systems. When you import and configure the 
connector, Access Manager automatically creates an appmark for the users to use in MobileAccess. 


Requirements for the Connector for Access 
Manager 


To use the connector for Access Manager, you must meet the following requirements: 


O Ensure you have meet the global requirements for SAML 2.0 connectors. For more information, 
see Section 4.1, “Global Requirements for SAML 2.0 Connectors,” on page 21. 


© An administrator account for the connected Access Manager system. 


Q 


The metadata file from the connected Access Manager system. 


O The connector for Access Manager does not provision user account. You must create user 
accounts the connector Access Manager identity store that match the user account in the identity 
store for single sign-on to function. 


To configure a federated connection between the two Access Manager systems, you must use the 
federation instructions you obtain when you configure the connector. The federation instructions 
contain metadata specific to your current Access Manager system, certificates, and any other 
information you need to properly configure the federated connection. 


Configuring the Connector for Access Manager 


The connector for Access Manager creates a SAML 2.0 connection between two Access Manager 
systems. The connector helps you create a federated connection between two Access Manager 
systems so when your users log in to the User Portal page, they only have to authenticate once. For 
more information, see Section 1.2, “Understanding Federated Single Sign-On with SAML 2.0,” on 
page 11. 


To configure the connector for Access Manager: 


1 Log in to Administration Console as an administrator. 
2 Inthe Dashboard, under Administrative Tasks, click Applications. 


3 (Conditional) Select the appropriate IDP cluster to use application. If you only have one IDP 
cluster, there is nothing to select. 
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6.3 


4 Click the plus sign + to import the SAML 2.0 connector for Access Manager. 


4a Click Add Application from Catalog, then search for the SAML 2.0 connector for Access 


Manager. 


For more information, see Chapter 2, “Using the Application Connector Catalog,” on 


page 15. 
or 


4b Click Import Application from File, then browse to and select the file. 


5 Configure the connector for Access Manager following the prompts. 


For more information, see Section 6.3, “Understanding the Configuration Options for the 
Connector for Access Manager,” on page 28. 


6 Click Save. 


Understanding the Configuration Options for the 
Connector for Access Manager 


The Applications page populates a number of fields for you. It is able to use information in your 
environment to help populate the metadata and other fields. The information in the Federation 
Instructions is specific to your environment. 


Table 6-1 Connector for Access Manager Configuration Options 


Options 
Name 


Description 


Change Image 


Application Connector Setup 


Application Connector Setup > 
Assertion consumer service 
URL 


Application Connector Setup > 
Destination URL 


Application Connector Setup > 
EntityID 


Description 


Specify a name for the connector for Access Manager. 


(Optional) Specify a description on the connector for Access Manager. You 
could have two connectors for Access Manager so ensure to use a unique 
name and a description to help determine the differences between the 
connectors. 


(Optional) Change the default image that the User Portal page displays to 
the users. Each connector contains a default image. You can change that 
image to any image you want. The maximum image size is 200 x 200 pixels 
and the ideal image size is 100 x 100 pixels. You can use an image from the 
Image Gallery or upload your own image. 


This section displays the metadata information Access Manager requires 
from the connected Access Manager system to create the federated 
connection. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Specify the information found in the AssertionConsumerService Location 
field with the HTTP-POST binding from the connected Access Manager 
system metadata file. 


(Optional) Specify the URL where users go after the initial login. 


Specify the information found in the Entity!D field from the connected 
Access Manager system metadata file. 
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Options 


Application Connector Setup > 
Logout response URL 


Application Connector Setup > 
Logout URL 


Application Connector Setup > 
Metadata 


Application Connector Setup > 
Signing Certificate 


Attributes 


Attributes > NamelD 


Access and Roles 


Access and Roles > Roles 


Access and Roles > Contracts 


System Setup 


System Setup > Metadata 


System Setup > Signing 
Certificate 


System Setup > Federation 
Instructions 


Description 


Specify the information found in the SPSSODescriptor element, use the 
value from the SingleLogoutService ResponseLocation field with the 
HTTP-POST binding from the connected Access Manager system metadata 
file. 


Specify the information found in the SPSSODescriptor element, use the 
value from the SingleLogoutService Location field with the HTTP-POST 
binding from the connected Access Manager system metadata file. 


Displays the metadata for the connector. You can view or download the 
metadata. If you have not saved the connector, the system creates the 
SAML 2.0 metadata using the values provided and other values from the 
connector. 


Uploads a signing certificate file to secure communication between the two 
Access Manager systems. Or it displays the content of the signing certificate 
if you have saved the connector. 


The system automatically adds this new certificate to the trust store for 
Administration Console. However, this new certificate is not automatically 
added to the trust store for the IDP cluster. 


IMPORTANT: You must manually add this signing certificate to the IDP 
Cluster trust store or the health of the IDP cluster turns yellow and users do 
not see this new appmark when they log in to the User Portal page. For 
more information, see “Managing Certificates and Keystores” in the NetIQ 
Access Manager 4.3 Administration Guide. 


Allows you to see and manage the attributes that are part of the SAML 2.0 
assertion. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Specify an LDAP attribute that contains the user name identifier in the 
connected Access Manager system. 


Allows you to control who has access to the application. 
NOTE: The Advanced Setup does not appear until you save the connector. 


Select the role assignments to determine the user accessibility of this 
application. The Role assignments made in the Appmark editor determine 
the user visibility of the appmarks associated with this application not the 
accessibility of the application. 


Select the contracts presented to users when they click the appmark. The 
users see these contract unless the contract is satisfied during login or 
through the authentication levels. 


Displays the metadata information from Access Manager to use in the 
connected Access Manager system to create the federated connection. 


You can view or download the metadata information from Access Manager 
to create the federated connection. 


You can view or download the signing certificate from Access Manager to 
create the federated connection. 


Contains the federation instructions on what you must change or modify in 
Access Manager to create the federated connection. Follow the federated 
instructions. 
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1.1 


1.2 


Configuring the Application for Amazon 
AWS 


Access Manager provides a connector for Amazon AWS that allows you to create a federated 
connection between Access Manager and Amazon AWS. The federated connection uses SAML 2.0 
to help you create a single sign-on experience for your users. 


The connector for Amazon AWS simplifies the configuration process to establish a federated 
connection between Amazon AWS and Access Manager. When you import and configure the 
connector, Access Manager automatically creates an appmark for the users to use in MobileAccess. 


Requirements for the Connector for Amazon AWS 


To use the connector for Amazon AWS, you must meet the following requirements: 
O Ensure you have meet the global requirements for SAML 2.0 connectors. For more information, 
see Section 4.1, “Global Requirements for SAML 2.0 Connectors,” on page 21. 
O An Amazon AWS administrator account. 


©) Read through and understand the single sign-on documentation from Amazon for single sign-on 
to the AWS Directory Service. For more information, see AWS Directory Service Single Sign-On. 


O The Amazon AWS attributes for Role and Role Session Name. 


© The connector for Amazon AWS does not provision user account. You must create user 
accounts in Amazon AWS that match the user account in the identity store for single sign-on to 
function. 


To configure a federated connection between Access Manager and Amazon AWS, you must use the 
federation instructions you obtain when you configure the connector. The federation instructions 
contain metadata specific to Access Manager, certificates, and any other information you need to 
properly configure the federated connection. 


Configuring the Connector for Amazon AWS 


The connector for Amazon AWS creates a SAML 2.0 connection between Access Manager and 
Amazon AWS. The connector helps you create a federated connection between Access Manager 
and Amazon AWS so when your users log in to the User Portal page, they only have to authenticate 
once. For more information, see Section 1.2, “Understanding Federated Single Sign-On with SAML 
2.0,” on page 11. 


To configure the connector for Amazon AWS: 


1 Log in to Administration Console as an administrator. 
2 Inthe Dashboard, under Administrative Tasks, click Applications. 


3 (Conditional) Select the appropriate IDP cluster to use application. If you only have one IDP 
cluster, there is nothing to select. 
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7.3 


4 Click the plus sign + to import the SAML 2.0 connector for Amazon AWS. 


4a Click Add Application from Catalog, then search for the SAML 2.0 connector for Amazon 


AWS. 


For more information, see Chapter 2, “Using the Application Connector Catalog,” on 


page 15. 
or 


4b Click Import Application from File, then browse to and select the file. 


5 Configure the connector for Amazon AWS following the prompts. 


For more information, see Section 7.3, “Understanding the Configuration Options for the 
Connector for Amazon AWS,” on page 32. 


6 Click Save. 


Understanding the Configuration Options for the 
Connector for Amazon AWS 


The Applications page populates a number of fields for you. It is able to use information in your 
environment to help populate the metadata and other fields. The information in the Federation 
Instructions is specific to your environment. 


Table 7-1 Connector for Amazon AWS Configuration Options 


Options 
Name 


Description 


Change Image 


Application Connector Setup 


Application Connector Setup > 
Metadata 


Description 


Specify a name for the connector for Amazon AWS. 


(Optional) Specify a description on the connector for Amazon AWS. You 
could have two connectors for Amazon AWS so ensure to use a unique 
name and a description to help determine the differences between the 
connectors. 


(Optional) Change the default image that the User Portal page displays to 
the users. Each connector contains a default image. You can change that 
image to any image you want. The maximum image size is 200 x 200 pixels 
and the ideal image size is 100 x 100 pixels. You can use an image from the 
Image Gallery or upload your own image. 


This section displays the metadata information Access Manager requires 
from Amazon AWS to create the federated connection. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Displays the metadata for the connector. You can view or download the 
metadata. If you have not saved the connector, the system creates the 
SAML 2.0 metadata using the values provided and other values from the 
connector. 
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Options 


Application Connector Setup > 
Signing Certificate 


Attributes 


Attributes > https:// 
aws.amazon.com/SAMLI 
Attributes/Role 


Attribute > https:// 
aws.amazon.com/SAMLI 
Attributes/RoleSessionName 


Access and Roles 


Access and Roles > Roles 


Access and Roles > Contracts 


System Setup 


System Setup > Metadata 


System Setup > Signing 
Certificate 


System Setup > Federation 
Instructions 


Description 


Uploads a signing certificate file to secure communication between Access 
Manager and Amazon AWS. Or it displays the content of the signing 
certificate if you have saved the connector. 


The system automatically adds this new certificate to the trust store for 
Administration Console. However, this new certificate is not automatically 
added to the trust store for the IDP cluster. 


IMPORTANT: You must manually add this signing certificate to the IDP 
Cluster trust store or the health of the IDP cluster turns yellow and users do 
not see this new appmark when they log in to the User Portal page. For 
more information, see “Managing Certificates and Keystores” in the NetIQ 
Access Manager 4.3 Administration Guide. 


Allows you to see and manage the attributes that are part of the SAML 2.0 
assertion. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Select a virtual attribute based on the role name and some additional static 
values to define the Roles in the Amazon AWS system. For more details, 
see the federation instructions. 


Select an attribute that contains a display name for the user in the Amazon 
AWS system. This attribute cannot contains spaces. 


Allows you to control who has access to the application. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Select the role assignments to determine the user accessibility of this 
application. The Role assignments made in the Appmark editor determine 
the user visibility of the appmarks associated with this application not the 
accessibility of the application. 


Select the contracts presented to users when they click the appmark. The 
users see these contract unless the contract is satisfied during login or 
through the authentication levels. 


Displays the metadata information from Access Manager to use in Amazon 
AWS to create the federated connection. 


You can view or download the metadata information from Access Manager 
to create the federated connection. 


You can view or download the signing certificate from Access Manager to 
create the federated connection. 


Contains the federation instructions on what you must change or modify in 
Amazon AWS to create the federated connection. Follow the federated 
instructions. 
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8.1 


8.2 


Configuring the Application for Google 
Apps 


Access Manager provides a connector for Google Apps that allows you to create a federated 
connection between Access Manager and Google Apps. The federated connection uses SAML 2.0 to 
help you create a single sign-on experience for your users. 


The connector for Google Apps simplifies the configuration process to establish a federated 
connection between Google Apps and Access Manager. When you import and configure the 
connector, Access Manager automatically creates an appmark for the users to use in MobileAccess. 


¢ Section 8.1, “Requirements for the Connector for Google Apps,” on page 35 
¢ Section 8.2, “Configuring the Connector for Google Apps,” on page 35 


¢ Section 8.3, “Understanding the Configuration Options for the Connector for Google Apps,” on 
page 36 


Requirements for the Connector for Google Apps 


To use the connector for Google Apps, you must meet the following requirements: 
O Ensure you have meet the global requirements for SAML 2.0 connectors. For more information, 
see Section 4.1, “Global Requirements for SAML 2.0 Connectors,” on page 21. 
O A Google Apps administrator account (does not end in @gmail.com). 


©) Read through and understand the single sign-on documentation from Google. For more 
information, see SAML-based Federated SSO. 


O The Google domain name for your company. 


O The connector for Google Apps does not provision user account. You must create user accounts 
in Google Apps that match the user account in the identity store for single sign-on to function. 


To configure a federated connection between Access Manager and Google Apps, you must use the 
federation instructions you obtain when you configure the connector. The federation instructions 
contain metadata specific to Access Manager, certificates, and any other information you need to 
properly configure the federated connection. 


Configuring the Connector for Google Apps 


The connector for Google Apps creates a SAML 2.0 connection between Access Manager and 
Google Apps. The connector helps you create a federated connection between Access Manager and 
Google Apps so when your users log in to the User Portal page, they only have to authenticate once. 
For more information, see Section 1.2, “Understanding Federated Single Sign-On with SAML 2.0,” on 
page 11. 


To configure the connector for Google Apps: 


1 Log in to Administration Console as an administrator. 
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8.3 


2 Inthe Dashboard, under Administrative Tasks, click Applications. 


3 (Conditional) Select the appropriate IDP cluster to use application. If you only have one IDP 
cluster, there is nothing to select. 


4 Click the plus sign + to import the SAML 2.0 connector for Google Apps. 


4a Click Add Application from Catalog, then search for the SAML 2.0 connector for Google 


Apps. 


For more information, see Chapter 2, “Using the Application Connector Catalog,” on 


page 15. 
or 


4b Click Import Application from File, then browse to and select the file. 


5 Configure the connector for Google Apps following the prompts. 


For more information, see Section 8.3, “Understanding the Configuration Options for the 
Connector for Google Apps,” on page 36. 


6 Click Save. 


Understanding the Configuration Options for the 
Connector for Google Apps 


The Applications page populates a number of fields for you. It is able to use information in your 
environment to help populate the metadata and other fields. The information in the Federation 
Instructions is specific to your environment. 


Table 8-1 Connector for Google Apps Configuration Options 


Options 
Name 


Description 


Change Image 


Application Connector Setup 


Application Connector Setup > 
Customer domain 


Application Connector Setup > 
Destination URL 


Description 


Specify a name for the connector for Google Apps. 


(Optional) Specify a description on the connector for Google Apps. You 
could have two connectors for Google Apps so ensure to use a unique 
name and a description to help determine the differences between the 
connectors. 


(Optional) Change the default image that the User Portal page displays to 
the users. Each connector contains a default image. You can change that 
image to any image you want. The maximum image size is 200 x 200 pixels 
and the ideal image size is 100 x 100 pixels. You can use an image from the 
Image Gallery or upload your own image. 


This section displays the metadata information Access Manager requires 
from Google Apps to create the federated connection. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Specify the Google domain you provided when you set up your Google 
domain. 


(Optional) Specify the URL where users go after the initial login. 
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Options 


Application Connector Setup > 
Metadata 


Application Connector Setup > 
Signing Certificate 


Attributes 


Attributes > Subject/NamelD 


Access and Roles 


Access and Roles > Roles 


Access and Roles > Contracts 


System Setup 


System Setup > Metadata 


System Setup > Signing 
Certificate 


System Setup > Federation 
Instructions 


Description 


Displays the metadata for the connector. You can view or download the 
metadata. If you have not saved the connector, the system creates the 
SAML 2.0 metadata using the values provided and other values from the 
connector. 


Uploads a signing certificate file to secure communication between Access 
Manager and Google Apps. Or it displays the content of the signing 
certificate if you have saved the connector. 


The system automatically adds this new certificate to the trust store for 
Administration Console. However, this new certificate is not automatically 
added to the trust store for the IDP cluster. 


IMPORTANT: You must manually add this signing certificate to the IDP 
Cluster trust store or the health of the IDP cluster turns yellow and users do 
not see this new appmark when they log in to the User Portal page. For 
more information, see “Managing Certificates and Keystores” in the NetIQ 
Access Manager 4.3 Administration Guide. 


Allows you to see and manage the attributes that are part of the SAML 2.0 
assertion. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Select the appropriate attribute from Google Apps for the ID of the users. 
Typically, the user’s email address is the user ID for Google Apps. 


Allows you to control who has access to the application. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Select the role assignments to determine the user accessibility of this 
application. The Role assignments made in the Appmark editor determine 
the user visibility of the appmarks associated with this application not the 
accessibility of the application. 


Select the contracts presented to users when they click the appmark. The 
users see these contract unless the contract is satisfied during login or 
through the authentication levels. 


Displays the metadata information from Access Manager to use in Google 
Apps to create the federated connection. 


You can view or download the metadata information from Access Manager 
to create the federated connection. 


You can view or download the signing certificate from Access Manager to 
create the federated connection. 


Contains the federation instructions on what you must change or modify in 
Google Apps to create the federated connection. Follow the federated 
instructions. 
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9.1 


Configuring the Application for 
Salesforce 


Access Manager provides a connector for Salesforce that allows you to create a federated 
connection between Access Manager and Salesforce. The federated connection uses SAML 2.0 to 
help you create a single sign-on experience for your users. 


In prior releases of Access Manager, there were many detailed steps required to configure this type 
of connection to Salesforce. For more information, see “Integrating Salesforce With Access Manager 
By Using SAML 2.0” in the NetIQ Access Manager 4.3 Administration Guide. 


Use the following information to help you configure a SAML 2.0 federated connection between 
Salesforce and Access Manager. 

¢ Section 9.1, “Requirements for the Connector for Salesforce,” on page 39 

è Section 9.2, “Configuring the Connector for Salesforce,” on page 40 


¢ Section 9.3, “Understanding the Configuration Options for the Connector for Salesforce,” on 
page 40 


¢ Section 9.4, “Provisioning Users to Salesforce,” on page 42 


Requirements for the Connector for Salesforce 


To use the connector for Salesforce, you must meet the following requirements: 


O Ensure you have meet the global requirements for SAML 2.0 connectors. For more information, 
see Section 4.1, “Global Requirements for SAML 2.0 Connectors,” on page 21. 


© A full or developer type Salesforce account. 


© Read through and understand the single sign-on documentation from Salesforce. For more 
information, see Configuring SAML Settings for Single Sign-On. 


O The login URL from Salesforce.com. It is available in the downloaded metadata file as the 
Location value for AssertionConsumerService. 


O The connector for Salesforce does not provision user accounts. You must either manually create 
user accounts at Salesforce or use the Salesforce Just-In-Time provisioning feature. The 
Salesforce Just-in-Time provisioning feature requires additional configuration steps. For more 
information, see Section 9.4, “Provisioning Users to Salesforce,” on page 42. 


IMPORTANT: If you do not configure Salesforce for Just-in-Time provisioning, user accounts 
that match accounts in the identity store must already exist in Salesforce for single sign-on to 
function. 


To configure the required Single Sign-On settings at Salesforce, use the Federation Instructions 
available in the System Setup section when you configure or edit the connector for Salesforce. These 
Federation Instructions contain metadata specific to Access Manager including URLs, certificates, 
and other information you need to properly configure the Single Sign-On settings in Salesforce. 
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9.2 


9.3 


Configuring the Connector for Salesforce 


Ensure that you have meet all of the requirements before configuring the connector for Salesforce. 
For more information, see Section 9.1, “Requirements for the Connector for Salesforce,” on page 39. 


To configure the connector for Salesforce: 


1 Log in to Administration Console as an administrator. 
2 Inthe Dashboard, under Administrative Tasks, click Applications. 


3 (Conditional) Select the appropriate IDP cluster to use application. If you only have one IDP 
cluster, there is nothing to select. 


4 Click the plus sign + to import the SAML 2.0 connector for Salesforce. 


4a Click Add Application from Catalog, then search for the SAML 2.0 connector for 
Salesforce. 


For more information, see Chapter 2, “Using the Application Connector Catalog,” on 
page 15. 


or 
4b Click Import Application from File, then browse to and select the file. 
5 Configure the connector for Salesforce following the prompts. 


For more information, see Section 9.3, “Understanding the Configuration Options for the 
Connector for Salesforce,” on page 40. 


6 Click Save. 


7 Click the Configuration Panel, then perform an Update All to have the changes take effect. 


Understanding the Configuration Options for the 
Connector for Salesforce 


The Applications page populates a number of fields for you. It is able to use information in your 
environment to help populate the metadata and other fields. The information in the Federation 
Instructions is specific to your environment. 


Table 9-1 Connector for Salesforce Configuration Options 


Options Description 
Name Specify a name for the connector for Salesforce. 
Description (Optional) Specify a description on the connector for Salesforce. You could 


have two connectors for Salesforce so ensure to use a unique name and a 
description to help determine the differences between the connectors. 


Change Image (Optional) Change the default image that the User Portal page displays to 
the users. Each connector contains a default image. You can change that 
image to any image you want. The maximum image size is 200 x 200 pixels 
and the ideal image size is 100 x 100 pixels. You can use an image from the 
Image Gallery or upload your own image. 


Application Connector Setup This section displays the metadata information Access Manager requires 
from Salesforce to create the federated connection. 


NOTE: The Advanced Setup does not appear until you save the connector. 
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Options 


Application Connector Setup > 
Login URL 


Application Connector Setup > 
Metadata 


Application Connector Setup > 
Signing Certificate 


Attributes 


Attributes > Subject/NamelD 


Attributes > Additional 
mappings 


Access and Roles 


Roles 


Contracts 


System Setup 


System Setup > Metadata 


System Setup > Signing 
Certificate 


System Setup > Federation 
Instructions 


Description 


Specify the Salesforce Assertion Consumer Service URL assigned to a 
particular client.In the Salesforce administration tool, this is the value 
identified as the Salesforce.com Login URL on the Single Sign-On 
Settings page. 


Displays the metadata for the connector. You can view or download the 
metadata. If you have not saved the connector, the system creates the 
SAML 2.0 metadata using the values provided and other values from the 
connector. 


Uploads a signing certificate file to secure communication between Access 
Manager and Salesforce. Or it displays the content of the signing certificate 
if you have saved the connector. 


The system automatically adds this new certificate to the trust store for 
Administration Console. However, this new certificate is not automatically 
added to the trust store for the IDP cluster. 


IMPORTANT: You must manually add this signing certificate to the IDP 
Cluster trust store or the health of the IDP cluster turns yellow and users do 
not see this new appmark when they log in to the User Portal page. For 
more information, see “Managing Certificates and Keystores” in the NetIQ 
Access Manager 4.3 Administration Guide. 


Allows you to see and manage the attributes that are part of the SAML 2.0 
assertion. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Select the appropriate attribute from Salesforce for the ID of the users. 
Typically, the user’s email address is the user ID for Salesforce. 


(Conditional) If you have configured Just-in-Time provisioning, you must add 
an additional attribute map. For more information, see Section 9.4, 
“Provisioning Users to Salesforce,” on page 42. 


Allows you to control who has access to the application. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Select the role assignments to determine the user accessibility of this 
application. The Role assignments made in the Appmark editor determine 
the user visibility of the appmarks associated with this application not the 
accessibility of the application. 


Select the contracts presented to users when they click the appmark. The 
users see these contract unless the contract is satisfied during login or 
through the authentication levels. 


Displays the metadata information from Access Manager to use in 
Salesforce to create the federated connection. 


Allows you to view or download the metadata information from Access 
Manager to create the federated connection. 


Allows you to view or download the signing certificate from Access Manager 
to create the federated connection. 


Contains the federation instructions on what you must change or modify in 
Salesforce to create the federated connection. Follow the federated 
instructions. 
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9.4 Provisioning Users to Salesforce 


To have single sign-on work, the users must have an account in Salesforce. This means you must 
manually create the users in Salesforce or configure the Just-In-Time provisioning feature in 
Salesforce. 


Just-in-Time provisioning automatically creates an account for the user the first time they log in to 
Salesforce by using the SAML 2.0 assertion from Access Manager. 


To use Just-in-Time provisioning, you must make configuration changes in both Salesforce and 
Access Manager. Ensure that you have read the documentation from Salesforce for Just-in-Time 
provisioning before proceeding. For more information, see About Just-in-Time Provisioning for SAML. 


NOTE: User account names in Salesforce are in email form. Ensure that the value for the 
User .Username attribute in the SAML 2.0 assertion is in the form an email. 


Configuring Just-in-Time provisioning: 


1 Inthe Salesforce, configure the Single Sign-On (SSO) settings. 
1a Configure the following fields: 
SAML Identity Type: Select Assertion contains the Federation ID from the User object. 
User Provisioning Enable: Select this option. 
User Provisioning Type: Select Standard. 
1b Save your changes. 
1c From Salesforce, download the metadata. 


2 Configure the connector for Salesforce. For more information, see Section 9.2, “Configuring the 
Connector for Salesforce,” on page 40. 


3 Create a new attribute set between Access Manager and Salesforce. 
3a In the Administration Console, click Devices > Identity Servers. 
3b Click Shared Settings. 
3c Under Attribute Sets, click New. 
3d Create an attribute set to map attributes between Access Manager and Salesforce. 
3d1 Specify a name for the attribute set, then click Next. 
3d2 Click New, then use the following information to create an attribute mapping: 
Local attribute: Select Ldap Attribute:mail. 
Remote attribute: Specify User .Email. 
3d3 Leave all of the other fields to the default values, then click OK. 
3d4 Click New, then use the following information to create an attribute mapping: 
Local attribute: Select Ldap Attribute:sn. 
Remote attribute: Specify User . LastName. 
3d5 Leave all of the other fields to the default values, then click OK. 
3d6 Click New, then use the following information to create an attribute mapping: 
Local attribute: Select Ldap Attribute:cn. 
Remote attribute: Specify User .Username. 


3d7 Leave all of the other fields to the default values, then click OK. 
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3d8 Click New, then select Constant. 


3d9 Use the following information to create a constant defining what type of Salesforce 
account the users have: 


Constant: Specify the profile type for the users account. For example, Chatter Free 
User. 


Remote attribute: Specify User .Profileld. 
3d10 Leave all of the other fields to the default values, then click OK. 
3d11 Click Finish, then Close. 
4 Add the attribute map created in Step 3 to the Service Provider for Salesforce. 


4a In Administration Console, click Devices > Identity Servers, then select the Identity Server 
running the connector for Salesforce. 


4b Click the Trusted Providers tab. 

4c In the Service Providers list, click the Salesforce service provider. 

4d Click the Attributes. 

4e In the Attributes set field, select the attribute map you created in Step 3d1. 


4f Select all of the four attributes in the Available panel, then click the left arrow to add the 
attribute to the Send with authentication panel. 


4g Click OK twice. 

4h In the Status field next to the Identity Server name, click Update. 
With this configuration, the SAML 2.0 assertion sent by Access Manager contains all of the 
information required to create an account for a user in Salesforce. The first time a user logs in to the 


User Portal and clicks on the appmark for Salesforce, Salesforce creates an account and the user is 
authenticated. 


IMPORTANT: Ensure that you have populated the local attributes specified in the attribute set in 
Step 3d in the Access Manager user store and that these attributes are in the format required by 
Salesforce. 
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Configuring the Application for 
ServiceNow 


Access Manager provides a connector for ServiceNow that allows you to create a federated 
connection between Access Manager and ServiceNow. The federated connection uses SAML 2.0 to 
help you create a single sign-on experience for your users. 


The connector for ServiceNow simplifies the configuration process to establish a federated 
connection between ServiceNow and Access Manager. When you import and configure the 
connector, Access Manager automatically creates an appmark for the users to use in MobileAccess. 


10.1 Requirements for the Connector for ServiceNow 


To use the connector for ServiceNow, you must meet the following requirements: 
© Ensure you have meet the global requirements for SAML 2.0 connectors. For more information, 
see Section 4.1, “Global Requirements for SAML 2.0 Connectors,” on page 21. 
O A ServiceNow administrator account. 
O The ServiceNow instance name for your company. 


©) Read through and understand the single sign-on documentation from ServiceNow. For more 
information, see SAML setup. 


O The connector for ServiceNow does not provision user account. You must create user accounts 
in ServiceNow that match the user account in the identity store for single sign-on to function. 


To configure a federated connection between Access Manager and ServiceNow, you must use the 
federation instructions you obtain when you configure the connector. The federation instructions 
contain metadata specific to Access Manager, certificates, and any other information you need to 
properly configure the federated connection. 


10.2 Configuring the Connector for ServiceNow 


The connector for ServiceNow creates a SAML 2.0 connection between Access Manager and 
ServiceNow. The connector helps you create a federated connection between Access Manager and 
ServiceNow so when your users log in to the User Portal page, they only have to authenticate once. 
For more information, see Section 1.2, “Understanding Federated Single Sign-On with SAML 2.0,” on 
page 11. 


To configure the connector for ServiceNow: 


1 Log in to Administration Console as an administrator. 
2 Inthe Dashboard, under Administrative Tasks, click Applications. 


3 (Conditional) Select the appropriate IDP cluster to use application. If you only have one IDP 
cluster, there is nothing to select. 
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4 Click the plus sign + to import the SAML 2.0 connector for ServiceNow. 


4a Click Add Application from Catalog, then search for the SAML 2.0 connector for 


ServiceNow. 


For more information, see Chapter 2, “Using the Application Connector Catalog,” on 


page 15. 


or 


4b Click Import Application from File, then browse to and select the file. 


5 Configure the connector for ServiceNow following the prompts. 


For more information, see Section 10.3, “Understanding the Configuration Options for the 
Connector for ServiceNow,” on page 46. 


6 Click Save. 


Understanding the Configuration Options for the 
Connector for ServiceNow 


The Applications page populates a number of fields for you. It is able to use information in your 
environment to help populate the metadata and other fields. The information in the Federation 
Instructions is specific to your environment. 


Table 10-1 Connector for ServiceNow Configuration Options 


Options 
Name 


Description 


Change Image 


Application Connector Setup 


Application Connector Setup > 


Instance name 


Application Connector Setup > 
Metadata 


Description 


Specify a name for the connector for ServiceNow. 


(Optional) Specify a description on the connector for ServiceNow. You could 
have two connectors for ServiceNow so ensure to use a unique name anda 
description to help determine the differences between the connectors. 


(Optional) Change the default image that the User Portal page displays to 
the users. Each connector contains a default image. You can change that 
image to any image you want. The maximum image size is 200 x 200 pixels 
and the ideal image size is 100 x 100 pixels. You can use an image from the 
Image Gallery or upload your own image. 


This section displays the metadata information Access Manager requires 
from ServiceNow to create the federated connection. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Specify the ServiceNow instance name for your company which is also the 
hostname portion of the ServiceNow URL. For example, https://your- 
instance-name.service-now.com/ 


Displays the metadata for the connector. You can view or download the 
metadata. If you have not saved the connector, the system creates the 
SAML 2.0 metadata using the values provided and other values from the 
connector. 
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Options 


Application Connector Setup > 
Signing Certificate 


Attributes 


Attributes > Subject/NamelD 


Access and Roles 


Access and Roles > Roles 


Access and Roles > Contracts 


System Setup 


System Setup > Metadata 


System Setup > Signing 
Certificate 


System Setup > Federation 
Instructions 


Description 


Uploads a signing certificate file to secure communication between Access 
Manager and ServiceNow. Or it displays the content of the signing 
certificate if you have saved the connector. 


The system automatically adds this new certificate to the trust store for 
Administration Console. However, this new certificate is not automatically 
added to the trust store for the IDP cluster. 


IMPORTANT: You must manually add this signing certificate to the IDP 
Cluster trust store or the health of the IDP cluster turns yellow and users do 
not see this new appmark when they log in to the User Portal page. For 
more information, see “Managing Certificates and Keystores” in the NetIQ 
Access Manager 4.3 Administration Guide. 


Allows you to see and manage the attributes that are part of the SAML 2.0 
assertion. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Select the appropriate attribute from ServiceNow for the name identifier of 
the users. 


Allows you to control who has access to the application. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Select the role assignments to determine the user accessibility of this 
application. The Role assignments made in the Appmark editor determine 
the user visibility of the appmarks associated with this application not the 
accessibility of the application. 


Select the contracts presented to users when they click the appmark. The 
users see these contract unless the contract is satisfied during login or 
through the authentication levels. 


Displays the metadata information from Access Manager to use in 
ServiceNow to create the federated connection. 


You can view or download the metadata information from Access Manager 
to create the federated connection. 


You can view or download the signing certificate from Access Manager to 
create the federated connection. 


Contains the federation instructions on what you must change or modify in 
ServiceNow to create the federated connection. Follow the federated 
instructions. 
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11.1 


11.2 


Configuring the Application for Zoho 
Apps 


Access Manager provides a connector for Zoho Apps that allows you to create a federated 
connection between Access Manager and Zoho Apps. The federated connection uses SAML 2.0 to 
help you create a single sign-on experience for your users. 


The connector for Zoho Apps simplifies the configuration process to establish a federated connection 
between Zoho Apps and Access Manager. When you import and configure the connector, Access 
Manager automatically creates an appmark for the users to use in MobileAccess. 


Requirements for the Connector for Zoho Apps 


To use the connector for Zoho Apps, you must meet the following requirements: 
O Ensure you have meet the global requirements for SAML 2.0 connectors. For more information, 
see Section 4.1, “Global Requirements for SAML 2.0 Connectors,” on page 21. 
© A Zoho Apps administrator account. 


© Read through and understand the SAML Authentication documentation from Zoho. For more 
information, see SAML Authentication. 


O The Zoho domain name for your company. 


O The connector for Zoho Apps does not provision user account. You must create user accounts in 
Zoho Apps that match the user account in the identity store for single sign-on to function. 


To configure a federated connection between Access Manager and Zoho Apps, you must use the 
federation instructions you obtain when you configure the connector. The federation instructions 
contain metadata specific to Access Manager, certificates, and any other information you need to 
properly configure the federated connection. 


Configuring the Connector for Zoho Apps 


The connector for Zoho Apps creates a SAML 2.0 connection between Access Manager and Zoho 
Apps. The connector helps you create a federated connection between Access Manager and Zoho 
Apps so when your users log in to the User Portal page, they only have to authenticate once. For 
more information, see Section 1.2, “Understanding Federated Single Sign-On with SAML 2.0,” on 
page 11. 


To configure the connector for Zoho Apps: 


1 Log in to Administration Console as an administrator. 
2 Inthe Dashboard, under Administrative Tasks, click Applications. 


3 (Conditional) Select the appropriate IDP cluster to use application. If you only have one IDP 
cluster, there is nothing to select. 
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4 Click the plus sign + to import the SAML 2.0 connector for Zoho Apps. 


4a Click Add Application from Catalog, then search for the SAML 2.0 connector for Zoho 


Apps. 


For more information, see Chapter 2, “Using the Application Connector Catalog,” on 


page 15. 
or 


4b Click Import Application from File, then browse to and select the file. 


5 Configure the connector for Zoho Apps following the prompts. 


For more information, see Section 11.3, “Understanding the Configuration Options for the 
Connector for Zoho Apps,” on page 50. 


6 Click Save. 


Understanding the Configuration Options for the 
Connector for Zoho Apps 


The Applications page populates a number of fields for you. It is able to use information in your 
environment to help populate the metadata and other fields. The information in the Federation 
Instructions is specific to your environment. 


Table 11-1 Connector for Zoho Apps Configuration Options 


Options 
Name 


Description 


Change Image 


Application Connector Setup 


Application Connector Setup > 
Customer domain 


Application Connector Setup > 
Metadata 


Description 


Specify a name for the connector for Zoho Apps. 


(Optional) Specify a description on the connector for Zoho Apps. You could 
have two connectors for Zoho Apps so ensure to use a unique name anda 
description to help determine the differences between the connectors. 


(Optional) Change the default image that the User Portal page displays to 
the users. Each connector contains a default image. You can change that 
image to any image you want. The maximum image size is 200 x 200 pixels 
and the ideal image size is 100 x 100 pixels. You can use an image from the 
Image Gallery or upload your own image. 


This section displays the metadata information Access Manager requires 
from Zoho Apps to create the federated connection. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Specify the Zoho domain you provided when you set up your Zoho domain. 


Displays the metadata for the connector. You can view or download the 
metadata. If you have not saved the connector, the system creates the 
SAML 2.0 metadata using the values provided and other values from the 
connector. 
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Options 


Application Connector Setup > 
Signing Certificate 


Attributes 


Attributes > Subject/NamelD 


Access and Roles 


Access and Roles > Roles 


Access and Roles > Contracts 


System Setup 


System Setup > Metadata 


System Setup > Signing 
Certificate 


System Setup > Federation 
Instructions 


Description 


Uploads a signing certificate file to secure communication between Access 
Manager and Zoho Apps. Or it displays the content of the signing certificate 
if you have saved the connector. 


The system automatically adds this new certificate to the trust store for 
Administration Console. However, this new certificate is not automatically 
added to the trust store for the IDP cluster. 


IMPORTANT: You must manually add this signing certificate to the IDP 
Cluster trust store or the health of the IDP cluster turns yellow and users do 
not see this new appmark when they log in to the User Portal page. For 
more information, see “Managing Certificates and Keystores” in the NetIQ 
Access Manager 4.3 Administration Guide. 


Allows you to see and manage the attributes that are part of the SAML 2.0 
assertion. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Select the appropriate attribute from Zoho Apps for the ID of the users. 
Typically, the user’s email address is the user ID for Zoho Apps. 


Allows you to control who has access to the application. 


NOTE: The Advanced Setup does not appear until you save the connector. 


Select the role assignments to determine the user accessibility of this 
application. The Role assignments made in the Appmark editor determine 
the user visibility of the appmarks associated with this application not the 
accessibility of the application. 


Select the contracts presented to users when they click the appmark. The 
users see these contract unless the contract is satisfied during login or 
through the authentication levels. 


Displays the metadata information from Access Manager to use in Zoho 
Apps to create the federated connection. 


You can view or download the metadata information from Access Manager 
to create the federated connection. 


You can view or download the signing certificate from Access Manager to 
create the federated connection. 


Contains the federation instructions on what you must change or modify in 
Zoho Apps to create the federated connection. Follow the federated 
instructions. 
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